Skip to main content
LiMP VPN
All news

AirDrop & Quick Share Flaws Put 5 Billion Devices at Risk

AirDrop & Quick Share Flaws Put 5 Billion Devices at Risk

In short: Researchers at CISPA reverse-engineered the proximity file-sharing protocols behind Apple AirDrop and Android Quick Share and found six vulnerabilities affecting over 5 billion devices across iOS, macOS, Android and Windows. Some can crash a nearby iPhone or Mac with no tap and no prior connection; the worst, in Quick Share for Windows, could lead to remote code execution. Apple and Google have started patching. The practical defence is to keep AirDrop and Quick Share set to "Contacts Only" or off when you are not using them, and to install every available update.

What happened

On 30 June 2026 Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security published "Protocol Prying", a study of the application-layer protocols behind Apple AirDrop and Android Quick Share. Both are proprietary and largely undocumented, so their security had never been examined in depth. The researchers reconstructed the protocols from binary analysis, built a custom fuzzer for AirDrop, and came away with six distinct vulnerabilities.

The scope is large: over 5 billion active devices support one of the two systems, spanning iPhones, Macs, Android phones and Windows laptops. If you want the bigger picture on how much your phone quietly exposes, our explainer on how to protect your phone from tracking is a good starting point. The key detail: these are proximity attacks. An attacker only needs a Wi-Fi-capable laptop within roughly 10–30 metres — no pairing, no contact exchange, no shared network and, in two cases, no interaction at all from the victim.

What the six flaws do

Three of the bugs sit in Apple's AirDrop and all three cause denial of service — they crash sharingd, the background service that also powers AirPlay, Handoff, the universal clipboard and Continuity Camera. One is a Swift fatalError in the request router, one is unbounded XML property-list recursion that exhausts the thread stack, and one is a null-pointer dereference in the HTTP parser triggered by malformed headers. Two of these fire before any authentication, against an Apple device set to receive from "Everyone", with no prompt shown.

The other three are in Android's Quick Share. Two are protocol-layer flaws in Samsung's implementation: frames processed before the key exchange completes, and an encryption bypass that lets an attacker inject certain unencrypted frames after the handshake. The sixth — and most serious — is a heap use-after-free in Google's Quick Share client for Windows, caused by a race between concurrent connections; unlike the crash bugs, it opens the door to potential remote code execution.

What it means for your data

For most people the immediate risk is disruption rather than data theft: an attacker in range can repeatedly knock out AirDrop and the services tied to it on your iPhone or Mac. That is annoying, but the deeper worry is what pre-authentication and encryption-bypass flaws imply — code that trusts incoming signals before verifying who sent them is exactly the kind of weakness that leads to bigger compromises over time. The Windows use-after-free is the clearest example, since memory-corruption bugs like it are the usual route to full device takeover. If you are worried a device or account of yours has already been exposed, walk through our guide on how to check for a personal-data leak.

How can you protect yourself?

Set sharing to "Contacts Only" or off. On iPhone and Mac, leaving AirDrop on "Everyone" is what enables the no-click crashes; switch it to "Contacts Only", or turn it off entirely when you are not sending a file. Do the same for Quick Share on Android.

Install every update. Apple has already fixed one AirDrop flaw and assigned it a CVE, and Google has patched the Windows use-after-free. Keeping iOS, macOS, Android and the Windows Quick Share app current is the single most effective step.

Be cautious in crowded public spaces. Because the attack works over the air from tens of metres away, airports, cafés and transport hubs are where a stranger could reach your device. Turning sharing off in those settings removes the exposure.

Practise general device hygiene. Review which features are broadcasting, keep Bluetooth and Wi-Fi off when unused, and follow the basics in our explainer on what a VPN protects you from — and what it does not.

Where does a VPN fit in?

Be honest about the limits: this is a radio-proximity attack on the sharing service itself, so a VPN cannot block it — that job belongs to turning sharing off and installing updates. What a VPN does cover is the network layer around it. The same crowded public Wi-Fi where a stranger could reach your AirDrop is also where ordinary traffic gets intercepted, so encrypting your connection and hiding your real IP shrinks what anyone nearby can learn about you. See how LiMP VPN handles encryption and pick a plan on our pricing page. Treat it as one layer of privacy, alongside safe sharing settings and prompt updates.

Sources

This report is based on the CISPA study "Protocol Prying" (arXiv 2606.26967), covered by Help Net Security and Anti-Malware.ru.

AirDrop & Quick Share Flaws Put 5 Billion Devices at Risk | LiMP VPN